3

I am building an internal Web API(asp.net) and I need to integrate our Okta authentication with it. I have the SDK installed through NuGet and I am able to do simple things like get a User and see there Profile.

What I really need to do though is understand how I take a User, Authenticate them through Okta, and then later validate that same User.

Here is what I have, at a basic conceptual level.

var oktaClient = new OktaClient(apiToken: "00vEX-jX3to71axEZ1L3luDfaAPH9d-ZPBV4coG2Ya", baseUri: new Uri(uriString: "https://ourcompany.oktapreview.com"));    

AuthClient authClient = oktaClient.GetAuthClient();    

AuthResponse response = authClient.Authenticate(username: "MyUserName@corp.ourcompany.com", password: "MyPassword");

AuthResponse huh = authClient.GetStatus(response.StateToken);

The problem is that my response does not contain a StateToken. It only contains a SessionToken. So, what I could really use some help with is what I'm missing.

I've looked through the Okta Music Store(https://github.com/okta/okta-music-store) demo but that doesn't seem to answer my question. Perhaps because it's an older MVC 4 app and I'm using WebApi or just because it's a more complicated example than what I am trying to accomplish I don't know.
I have also been reading through http://developer.okta.com/docs/api/getting_started/design_principles.html and I'm still not seeing what I'm missing.

Refracted Paladin
  • 12,096
  • 33
  • 123
  • 233

2 Answers2

0

I suggest that you take a look at this code sample that shows the different authentication flows.

You only get a state token if you're in an intermediary state during the sign-in process, such as being prompted for a second factor. Otherwise, you only get a session token if the sign-in process has successfully completed.

I hope that helps!

Raphael Londner
  • 512
  • 2
  • 5
0

I've been struggling with figuring stateToken out too, and after sifting through numerous useless responses to the same inquiry I finally found an answer:

state —; Protects against cross-site request forgery (CSRF). Can be any value.

Source: https://developer.okta.com/docs/guides/add-an-external-idp/apple/create-authz-url/

I found that I can indeed provide any arbitrary string, so long that it remains consistent throughout that user's authorization flow.

What I'm still not clear on, however, is how often the state token should be regenerated and what the best practice is for maintaining that value between page loads. My assumption is that it should be randomly generated and stored in session.

UPDATE: I found this page discussing how to generate state tokens, seems relevant.

https://pipedrive.readme.io/docs/marketplace-oauth-authorization-state-parameter

The method they recommend (at least for php ) is:

// Assign to state the hashing of the session ID
$state = hash('sha256', session_id());
CragMonkey
  • 808
  • 1
  • 11
  • 22